
Unrevocation of BT Class 2 CA - G2 CA Certificate


Ben Wilson

Feb 28, 2018, 9:53:47 PM
to mozilla-dev-s...@lists.mozilla.org
I've filed an incident report here: https://bugzilla.mozilla.org/show_bug.cgi?id=1442091

Wayne Thayer

Feb 28, 2018, 11:14:22 PM
to Ben Wilson, mozilla-dev-s...@lists.mozilla.org
Here is the report Ben filed in the bug. He tried to send it to the list
but for some reason it was rejected as spam.
====================
Dear Mozilla Community,

As part of our efforts to meet the April 15 requirements imposed by the
Mozilla Root Store Policy v.2.5, DigiCert has been reviewing CAs that only
issue S/MIME and clientAuth certificates. To that effort, we have been
contacting our PKI partners to determine whether any CAs are no longer
active and can be revoked. As part of this process, we were informed by
British Telecom that the BT Class 2 CA - G2 (Cert. Serial No.
0bdf8169f3686b1c5e8496ba30110e05) could be revoked. The VeriSign Class 2
Public PCA - G3 is a root CA that does not have the serverAuth bit enabled
by Mozilla. It is the issuer of CA certificate BT Class 2 CA - G2, and on
6-February-2018 it issued CRL Number 00b0, including the above serial number
for the BT Class 2 CA - G2.

On 8-February-2018 we were notified that the public tender service of
Portugal was not working because a large majority of the certificates used
to create digital signatures on contracting documents were chained to the
revoked BT Class 2 CA - G2 certificate, i.e. that CA supported EU-qualified
certificates used for the digital signing of offers submitted to the
Portuguese government.

In an early attempt to resolve the issue on February 8, we re-signed the
particular EU-Qualified issuing CA with the BT Class 2 CA - G3, a
still-valid, unrevoked intermediate CA certificate. However, that effort
failed, and the possibilities of re-signing the BT Class 2 CA - G2 or
re-signing another EU Qualified CA with another unrevoked CA were rejected,
because (1) there were approximately 10,000 affected end-entity certificates
issued on smart cards, and all smart cards would have needed to be recalled
and reissued to install a new certificate chain; and (2) in order to use a
newly recertified CA, that CA would have needed to be submitted and approved
as trusted by the Portuguese government. Either of these approaches alone
was expected to take at least a month to accomplish. Another option of
educating end users on how to replace CA chains on their systems and cards
was rejected over concern about the ability of these users to accomplish the
task, with costly and substantial training efforts, also estimated to take
several weeks, and still with the risk that such efforts would fail.

On 9-February, the DigiCert Policy Authority was consulted and briefed on
the factors above, and the costs, time, and burdens on end users were
considered. Standards, such as RFC 5280, were also considered. DigiCert
contacted representatives of several browsers, including Mozilla, about its
decision to roll back the revocation. Given that the revocation had taken
place just three days prior and had resulted in significant burden to a
large subscriber population, the DigiCert Policy Authority decided to
remediate the revocation and publish a new CRL, number 00b1 (see
http://crl.verisign.com/pca2-g3.crl), omitting the serial number for the
previously revoked BT Class 2 CA - G2 certificate.

As a result of this incident, DigiCert will be implementing additional
steps, including working with cross-certified CAs and affected customers, to
exercise greater scrutiny in our CA certificate revocation request and
approval processes.

Sincerely yours,

Ben Wilson
on behalf of the DigiCert Policy Authority
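The CRL sequence the report describes (CRL 00b0 listing the BT Class 2 CA - G2 serial, CRL 00b1 omitting it) is the kind of change a relying party can watch for: RFC 5280 section 3.3 only lets an entry drop off a CRL once the certificate has expired, so a serial that vanishes earlier is an unrevocation. The audit below is an added example, not code from the thread or from DigiCert; the 9 February thisUpdate, the notAfter values and the second serial are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass
class Crl:
    """The parts of a CRL the audit needs (RFC 5280 section 5); in practice
    filled from a parsed CRL, e.g. cryptography's x509.load_der_x509_crl()."""
    number: int                                  # cRLNumber extension
    this_update: datetime                        # thisUpdate field
    revoked: dict = field(default_factory=dict)  # serial -> revocationDate

def audit_crl_sequence(crls, not_after_by_serial):
    """Compare consecutive CRLs ordered by cRLNumber and return findings as
    (kind, crl_number, serial) tuples. An entry that disappears while the
    certificate is still within its validity period is flagged 'unrevoked';
    an unknown notAfter is treated as still valid (the conservative choice)."""
    findings = []
    ordered = sorted(crls, key=lambda c: c.number)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.number == prev.number:
            findings.append(("duplicate-crl-number", cur.number, None))
        if cur.this_update <= prev.this_update:
            findings.append(("non-monotonic-thisupdate", cur.number, None))
        for serial in prev.revoked:
            if serial in cur.revoked:
                continue
            not_after = not_after_by_serial.get(serial)
            if not_after is None or cur.this_update < not_after:
                findings.append(("unrevoked", cur.number, serial))
    return findings

# Constructed sample modelled on the report: CRL 00b0 (6 Feb 2018) lists the
# BT Class 2 CA - G2 serial, CRL 00b1 omits it. The 9 Feb thisUpdate, the
# notAfter dates and EXPIRED_SERIAL are placeholders, not real certificate data.
BT_G2_SERIAL = 0x0bdf8169f3686b1c5e8496ba30110e05
EXPIRED_SERIAL = 0x1234  # constructed: a revoked cert that has since expired
CRL_B0 = Crl(0xb0, datetime(2018, 2, 6, tzinfo=UTC),
             {BT_G2_SERIAL: datetime(2018, 2, 6, tzinfo=UTC),
              EXPIRED_SERIAL: datetime(2017, 6, 1, tzinfo=UTC)})
CRL_B1 = Crl(0xb1, datetime(2018, 2, 9, tzinfo=UTC), {})
NOT_AFTER = {BT_G2_SERIAL: datetime(2020, 1, 1, tzinfo=UTC),   # constructed
             EXPIRED_SERIAL: datetime(2018, 1, 1, tzinfo=UTC)}  # constructed

def sample_findings():
    """Audit the two constructed CRLs; only the BT serial should be flagged."""
    return audit_crl_sequence([CRL_B1, CRL_B0], NOT_AFTER)

if __name__ == "__main__":
    for kind, number, serial in sample_findings():
        print(kind, f"CRL {number:04x}", "" if serial is None else f"serial {serial:x}")
```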